Zitadel: default changeme password wasn't strong enough

secrets/default.nix

@@ -1,40 +1,37 @@
-{config, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.niksos) server;
+
   serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
+  abstrServiceUser = x: config.services.${x}.user;
 in {
   age.secrets = {
-    transferSh = {
-      file = ./transfer-sh.age;
-      owner = "jsw";
-    };
-    dcbot = {
-      file = ./dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
-    bread-dcbot = {
-      file = ./bread-dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
     password.file = ./password.age;
-    matrix-registration = {
+
-      file = ./matrix-registration.age;
+    # NOTE: server things
-      owner =
+    dcbot = mkIf server {
-        if config.niksos.server
+      file = ./dcbot.age;
-        then config.services.matrix-continuwuity.user
+      owner = serviceUser "dcbot"; #
-        else "root";
     };
-    cloudflare-acme.file = ./cloudflare-acme.age;
+    bread-dcbot = mkIf server {
-    mail-admin = {
+      file = ./bread-dcbot.age;
-      # owner = #FIXME: revert when stopped using docker for stalwart.
+      owner = "bread-dcbot";
-      #   if config.niksos.server
+    };
-      #   then serviceUser "stalwart-mail"
+    matrix-registration = mkIf server {
-      #   else "root";
+      file = ./matrix-registration.age;
+      owner = abstrServiceUser "matrix-continuwuity";
+    };
+    mail-admin = mkIf server {
+      # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
       file = ./mail-admin.age;
     };
+    zitadel-key = mkIf server {
+      file = ./zitadel-key.age;
+      owner = abstrServiceUser "zitadel";
+    };
   };
 }

secrets/secrets.nix

@@ -18,6 +18,6 @@ in {
   "dcbot.age".publicKeys = keys;
   "bread-dcbot.age".publicKeys = keys;
   "matrix-registration.age".publicKeys = keys;
-  "cloudflare-acme.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
+  "zitadel-key.age".publicKeys = keys;
 }

secrets/zitadel-key.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA YUoGdx518q+GhqnOVeuHxWE4//2KgVTXJCu4ULUkly8
+XIxa/FaGC5XBcrsvhZq5rOgX5vNDfFvcDCsamN7vHJ8
+-> ssh-ed25519 MfR7VA 9btD5WmqZdQ54uJYVNwU3Z5DBIlACbYfqGe1wPZwd30
+QecwT2R+BkQrGmorYcMuXHyy/TG7JjBdH2fp3W9zCBU
+-> ssh-ed25519 +cvRTg UZnkgS+9oRLgEI/vdLFIAPbUG4V5iAuB4Z74D/quXzE
+vxWJZI/SZKH1j8bnI4xC8+TIIANqMOkIDej+BWzDJwE
+-> ssh-ed25519 WCPLrA OVnublQtCOFFo7+vcKGmCY3B3FkvLvQ6GaU7xMx8uQY
+PuMamZqF3vCqgmpcTGQinIdbjOOpHtrmKfOXlL924Rk
+-> ssh-ed25519 7/ziYw nYxpO5kaGDOyGUEFxryEhT0XqWf0Oc1RgprYaPjC33c
+UseYaBeWvetviCf1FHncVNko86ji+GX9AdyDic2A1Og
+-> ssh-ed25519 VQy60Q ok1oP3f7nWBd/6DyJFDnsv/Lb2/bwHY0cvmHI386IFM
+t5rIZBUz5jav6tUo01ASMzYtHoW4+cKBZ2lzmxSI7IA
+--- NZ9UXYlEIcw3VPFqDswXhSecW1zqcCeKivJoHC1zKA8
+“JçëªÐqUÐ0¿]D_ÿ—’Õ<>Óáz=é´1͞׶S–!-.t‰="†„ç·¿¸eÂ<KÈáéïö[

system/server/default.nix

@@ -10,6 +10,7 @@
     ./matrix.nix
     ./seafile.nix
     ./temp.nix
+    ./zitadel.nix
   ];
   options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }

system/server/zitadel.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  ExternalDomain = "z.jsw.tf";
+  Port = 9000;
+in {
+  config =
+    lib.mkIf config.niksos.server
+    {
+      services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
+        reverse_proxy localhost:${builtins.toString Port}
+      '';
+
+      # services.zitadel = {
+      #   enable = true;
+      #   masterKeyFile = config.age.secrets.zitadel-key.path;
+      #   settings = {
+      #     inherit Port ExternalDomain;
+      #     ExternalPort = 443;
+      #   };
+      #   extraSettingsPaths = [config.age.secrets.zitadel.path];
+      # };
+      systemd.services.zitadel = {
+        requires = ["postgresql.service"];
+        after = ["postgresql.service"];
+      };
+
+      services = {
+        zitadel = {
+          enable = true;
+          masterKeyFile = config.age.secrets.zitadel-key.path;
+          settings = {
+            inherit Port ExternalDomain;
+            ExternalPort = 443;
+            Database.postgres = {
+              Host = "/var/run/postgresql/";
+              Port = 5432;
+              Database = "zitadel";
+              User = {
+                Username = "zitadel";
+                SSL.Mode = "disable";
+              };
+              Admin = {
+                Username = "zitadel";
+                SSL.Mode = "disable";
+                ExistingDatabase = "zitadel";
+              };
+            };
+            ExternalSecure = true;
+          };
+          steps.FirstInstance = {
+            InstanceName = "jsw";
+            Org = {
+              Name = "jsw";
+              Human = {
+                UserName = "jsw@jsw.tf";
+                FirstName = "Jurn";
+                LastName = "Wubben";
+                Email.Verified = true;
+                Password = "Changeme1!";
+                PasswordChangeRequired = true;
+              };
+            };
+            LoginPolicy.AllowRegister = false;
+          };
+          openFirewall = true;
+        };
+
+        postgresql = {
+          enable = true;
+          enableJIT = true;
+          ensureDatabases = ["zitadel"];
+          ensureUsers = [
+            {
+              name = "zitadel";
+              ensureDBOwnership = true;
+              ensureClauses.login = true;
+              ensureClauses.superuser = true;
+            }
+          ];
+        };
+      };
+    };
+}